Configuring Certificates for MIME or SMIME Messages

To help secure data transfer on BizTalk Server, you must associate certificates installed in the certificate stores with the appropriate BizTalk artifacts. This applies to MIME/SMIME-encoded messages. It also applies to AS2 transport, which transports MIME/SMIME messages.

Use the following reference for the certificate usage scenarios and configuration options available in BizTalk Server. For each scenario it lists the user context, the certificate store location, the certificate type, and the configuration parameters in the BizTalk Administration Console. Detailed procedures are provided in the topics listed under the "In This Section" heading at the end of this topic.

Encryption (Sending)

- User context: Account used by the host instance associated with the send handler.
- Certificate store location: Log on to each computer running BizTalk Server that will host S/MIME encoder pipelines and import the encryption certificate into the Local Computer \ Other People store.
- Certificate type: Trading partner public certificate.
- Configuration parameters in the BizTalk Administration Console:
  - Specify values for the encryption certificate Common Name and Thumbprint on the Certificate page of the Send Port Properties dialog box.
  - Specify pipeline Encode options in the Configure Pipeline dialog box. The Configure Pipeline dialog box is displayed by clicking the button next to the Send pipeline drop-down list on the General page of the Send Port Properties dialog box.

Decryption (Receiving)

- User context: Account used by the host instance associated with the receive handler.
- Certificate store location: Log on to each computer running BizTalk Server that will host S/MIME decoder pipelines as each host instance service account, and import the decryption certificate into the Current User \ Personal store.

  Note: For pipeline decryption to succeed on computers running IIS 6.0 or later, ensure that the account for the IIS application pool and the account used by the host instance associated with the receive handler are the same, and that this account is a member of the <machineName>\IIS_WPG group. For more information about setting the IIS process identity, see Guidelines for Resolving IIS Permissions Problems (https://go.microsoft.com/fwlink/?LinkId=155161) in BizTalk Server Help. These processes must run under the same account to ensure that the account profile is loaded, which in turn loads the registry keys required to perform decryption in the pipeline. For performance reasons, IIS does not load the account profile when starting the associated w3wp.exe process, so the BizTalk Server host instance must be configured with the same account so that BizTalk Server loads the account profile and registry keys.
- Certificate type: Own private certificate.
- Configuration parameters in the BizTalk Administration Console:
  - Specify values for the decryption certificate Common Name and Thumbprint on the Certificates page of each Host Properties dialog box.
  - Specify pipeline Decode options in the Configure Pipeline dialog box. The Configure Pipeline dialog box is displayed by clicking the button next to the Receive pipeline drop-down list on the General page of the Receive Location Properties dialog box.

Signature (Sending)

- User context: Account used by the host instance associated with the send handler.
- Certificate store location: Log on to each computer running BizTalk Server that will host S/MIME encoder pipelines as each host instance service account, and import the signature certificate into the Current User \ Personal store.
- Certificate type: Own private certificate.
- Configuration parameters in the BizTalk Administration Console:
  - Specify values for the signature certificate Common Name and Thumbprint on the Certificate page of the BizTalk Group Properties dialog box. Note: Only one signature certificate can be specified per BizTalk Server group.
  - Specify pipeline Encode options in the Configure Pipeline dialog box. The Configure Pipeline dialog box is displayed by clicking the button next to the Send pipeline drop-down list on the General page of the Send Port Properties dialog box.

Signature Verification (Receiving)

- User context: Account used by the host instance associated with the receive handler.
- Certificate store location: Log on to each computer running BizTalk Server that will host S/MIME decoder pipelines and import the signature certificate into the Local Computer \ Other People store.
- Certificate type: Trading partner public certificate.
- Configuration parameters in the BizTalk Administration Console:
  - Specify values for the verification certificate Common Name and Thumbprint on the Certificates page of each Party Properties dialog box.
  - Specify pipeline Decode options in the Configure Pipeline dialog box. The Configure Pipeline dialog box is displayed by clicking the button next to the Receive pipeline drop-down list on the General page of the Receive Location Properties dialog box. Note: The certificate used to verify a signature for a party must be distinct from the certificates used to verify signatures for other parties. Note: Configuration of the Decode option requires that a pipeline with the MIME/SMIME decoder component is deployed.

Party Resolution (Receiving)

- User context: Account used by the host instance associated with the receive handler.
- Certificate store location: Log on to the BizTalk Server computer from which party resolution is being configured, and import the certificate into the Local Computer \ Other People store.
- Certificate type: Trading partner public certificate.
- Configuration parameters in the BizTalk Administration Console:
  - Specify values for the certificate Common Name and Thumbprint on the Certificates page of each Host Properties dialog box.
  - Specify ResolveParty options in the Configure Pipeline dialog box. The Configure Pipeline dialog box is displayed by clicking the button next to the Receive pipeline drop-down list on the General page of the Receive Location Properties dialog box. Note: Configuration of this option requires the use of a pipeline that contains the Party resolution component. The XMLReceive pipeline contains the Party resolution component.

HTTPS (Sending)

- User context: Account used by the host instance associated with the send handler.
- Certificate store location: SSL communication does not require a client certificate. Whether a client certificate is required is at the discretion of the destination Web server administrator. If the destination Web server requires a client certificate, follow these steps:
  - Obtain the public certificate from the trading partner.
  - Log on to each computer running BizTalk Server as the account used by the host instance associated with the send handler.
  - Import the certificate into the Current User \ Personal store.

  For information about configuring IIS to use SSL, see the Knowledge Base article HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkId=155162).

  For information about how to obtain a certificate using the Windows Server 2003 Certificate Services Web pages, see Use Windows Server 2003 Certificate Services Web Pages (https://go.microsoft.com/fwlink/?LinkID=69975). Note: To use the Certificate Services Web page to obtain certificates from a Windows Server 2008 computer, see Microsoft Knowledge Base article 922706 (https://go.microsoft.com/fwlink/?LinkId=155317).
- Certificate type: Trading partner public certificate.
- Configuration parameters in the BizTalk Administration Console:
  - HTTP Transport: Set the SSL client certificate thumbprint option on the Authentication tab of the HTTP Transport Properties dialog box. The HTTP Transport Properties dialog box is displayed by clicking the Configure button on the General page of the Send Port Properties dialog box.
  - SOAP Transport: Set the Client certificate thumbprint option on the General tab of the SOAP Transport Properties dialog box. The SOAP Transport Properties dialog box is displayed by clicking the Configure button on the General page of the Send Port Properties dialog box.
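The scenarios above come down to two store placements: a trading partner's public certificate goes into Local Computer \ Other People, and your own private certificate goes into the Current User \ Personal store of the host instance service account. The following PowerShell is an added example, not part of the BizTalk Server documentation, that stages both and then checks that a thumbprint resolves to a usable certificate before it is typed into the Administration Console. The file paths and thumbprints are placeholders; the store mapping (Other People is exposed by the certificate provider as `Cert:\LocalMachine\AddressBook`, Personal as `Cert:\CurrentUser\My`) is standard Windows behaviour.

```powershell
# Added example (not from the BizTalk Server documentation): stage and verify the
# certificates the scenarios above require. Paths and thumbprints are placeholders.

# The certificate provider exposes "Local Computer \ Other People" as LocalMachine\AddressBook
# and "Current User \ Personal" as CurrentUser\My.
$OtherPeopleStore = 'Cert:\LocalMachine\AddressBook'
$PersonalStore    = 'Cert:\CurrentUser\My'

# Trading partner public certificate (encryption, signature verification, party resolution).
# The store is machine-wide, so any administrative session can perform the import.
function Import-PartnerPublicCertificate {
    param([Parameter(Mandatory)][string]$Path)   # e.g. 'C:\certs\partner.cer' (placeholder)
    Import-Certificate -FilePath $Path -CertStoreLocation $OtherPeopleStore
}

# Own private certificate (decryption, signing). Run this while logged on AS the host
# instance service account: Current User \ Personal belongs to that account's profile,
# which is also why the topic insists the IIS application pool and host instance share it.
function Import-OwnPrivateCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,               # e.g. 'C:\certs\own.pfx' (placeholder)
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $PersonalStore -Password $PfxPassword
}

# Check that the thumbprint you intend to configure resolves to a certificate in the
# expected store, is not expired and, for own certificates, carries a private key.
# Thumbprints copied from certmgr.msc often contain spaces or a leading non-printing
# character, so the value is reduced to hex digits before comparison.
function Test-ConfiguredCertificate {
    param(
        [Parameter(Mandatory)][string]$StorePath,
        [Parameter(Mandatory)][string]$Thumbprint,
        [switch]$RequirePrivateKey     # set for own decryption/signature certificates
    )
    $normalized = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path $StorePath |
            Where-Object { $_.Thumbprint -eq $normalized } |
            Select-Object -First 1

    $result = [ordered]@{
        Store         = $StorePath
        Thumbprint    = $normalized
        Found         = [bool]$cert
        HasPrivateKey = $false
        Expired       = $null
        Ok            = $false
    }
    if ($cert) {
        $result.HasPrivateKey = $cert.HasPrivateKey
        $result.Expired       = $cert.NotAfter -lt (Get-Date)
        $result.Ok            = (-not $result.Expired) -and
                                ((-not $RequirePrivateKey) -or $cert.HasPrivateKey)
    }
    [pscustomobject]$result
}

# Example usage (all values are placeholders):
# Import-PartnerPublicCertificate -Path 'C:\certs\partner.cer'
# Test-ConfiguredCertificate -StorePath $OtherPeopleStore -Thumbprint '<partner-thumbprint>'
# Import-OwnPrivateCertificate -PfxPath 'C:\certs\own.pfx' -PfxPassword (Read-Host -AsSecureString 'PFX password')
# Test-ConfiguredCertificate -StorePath $PersonalStore -Thumbprint '<own-thumbprint>' -RequirePrivateKey
```

Run the Personal-store steps from a session started as the host instance service account (for example with `runas`), since a certificate imported into an administrator's Current User \ Personal store is invisible to the host instance. A `Found = $false` result against the store you expected usually means the certificate landed in the wrong store or the wrong user's profile; `HasPrivateKey = $false` on an own certificate means a .cer rather than a .pfx was imported.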

In This Section